[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 524
  • Last Modified:

Active Directory Remote Users Prevent Cache Logon

Hello all,
I have been asked to find a solution for securing corporate PC information from access of remote personnel upon their termination, we are using VPN.
Basically, if the business terminates an employee they want to ensure the user will not be able to log in to the Laptop they were issued, and no longer onto the domain. The domain side is the easy part but how would I immediately be able to reach out and secure the machines for these remote users, so they can no longer log in with the cached credentials?
I was told of a way via SCCM that may facilitate but can find nothing related.
Please, any direction and help is appreciated because I do not want to be the next to be released here.

Kry
0
kryanC
Asked:
kryanC
  • 2
3 Solutions
 
R. Andrew KoffronCommented:
just need to set a group policy, and join the machines to the Domain prior to deployment,

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

 Network Access:
Do not allow storage of credentials or .NET Passports for network authentication

if you can recall machines pretty easy plug em in and force a gpupdate.  if they remain external I don't know how to fire it retroactively to external VPN clients I'm not sure, I'd think you'd have to create a local GPO update and a script to download it each machine and fire it locally. I've never had any consistent success getting things to work over VPN.

but going forward just make sure your initial deployment stops cacheing
0
 
MaheshArchitectCommented:
The above setting will stop cached login for working employees as well in home

Once you disabled user account for terminated user, make sure that you have disabled its mailbox, emails and any other logins (VPN, internet data card etc) it might have immediately

Now even if user is able to login offline with cached credentials, it can't do any thing practically
0
 
R. Andrew KoffronCommented:
keep in mind that policy changes need to be made updated by the log in process, so remote machines have already authenticated. when they get to the VPN stage, and If you remove caching, you'll need to set them to use a VPN/Dial-up in order to boot up/login, Prior to logging into the remote machine, and that will ONLY work when their internet connection is on and VPN is up and running, and may render machines completely useless unless each machine has a local profile, and a local profile wouldn't apply a domain Policy.

sort of a catch 22 I don't know a good way around it either.
0
 
kryanCAuthor Commented:
Thanks to all. Catch 22 is the best way of illustrating how to force it and kill there ability to work offline at the same time if I want to protect the data.
If anyone has a third party solution or any other ideas I would be interested because the "business" says that they are sure there is such a solution but can't remember what it is.
Thanks again,

Kry
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now